“We don’t negotiate with terrorists,” Los Angeles Unified School District Superintendent Alberto Carvalho told audience members at the first-ever cybersecurity summit hosted by the White House on Tuesday. As K12 schools continue in their battle against a consistent plague of targeted ransomware attacks, leaders at this event shared their experiences with high-profile cyberattacks and discussed the next steps to ensure the safety of America’s public schools.
“If we want to safeguard our children’s futures we must protect their personal data,” said first lady Jill Biden, who is also a teacher. “Every student deserves the opportunity to see a school counselor when they’re struggling and not worry that these conversations will be shared with the world.”
Large districts aren’t spared
In 2023 alone, there have been at least 48 ransomware attacks against school districts, the Associated Press reports. These incidents come off the heels of a troubling year which revealed that even the largest and resource-rich districts aren’t safe from cybercriminals. That includes LAUSD, the second-largest school district in the U.S.
During the summit, Carvalho reflected on that experience and shared his takeaways with those at the gathering.
“We did not pay the ransom,” he said. According to the AP, he explained that he was told by the FBI that paying ransoms doesn’t guarantee the protection of your school’s data. Eventually, it’s likely that it will find its way onto the dark web for criminals to exploit and leverage for identity theft and other crimes. LAUSD was just one of several large districts to face a major cyberattack.
“Last school year, schools in Arizona, California, Washington, Massachusetts, West Virginia, Minnesota, New Hampshire and Michigan were all victims of major cyber attacks,” said Anne Neuberger, the deputy national security advisor for cyber.
Resources are on the way
Several measures were announced at the summit that aims to support K12 public schools in their fight against cybercriminals. These include advancements to tailored security assessments for K12 by the Cybersecurity and Infrastructure Security Agency (CISA), as well as grants and support from technology providers like Amazon Web Services, Google and Cloudflare, the AP reports.
More from DA: Meet ‘Ed,’ L.A. Unified’s new artificially intelligent student advisor
An additional pilot proposed by Federal Communications Commission Chair Jessica Rosenworcel awaits a vote by the agency, which would provide $200 million over three years to bolster cyber defenses in schools and libraries.
The long-lasting effects of cyberattacks
The AP recently published a report that revealed just how serious the events following a major cyber attack are. In worst-case scenarios, security experts often uncover confidential documents belonging to students on the dark web that detail sensitive information, including “sexual assaults, psychiatric hospitalizations, abusive parents, truancy—even suicide attempts,” writes AP‘s Frank Bajak, Heather Hollingsworth and Larry Fenn.
This is commonly the result of a tactic used by cybercriminals called “double extortion,” Cyber Threat Intelligence Manager at the Center for Internet Security TJ Sayers recently told District Administration. In this case, “ransomware actors exfiltrate data and encrypt it, making it inaccessible without special decryption keys. Then, if the ransom isn’t paid, they not only withhold the key, they threaten to expose the student data online.”
But as Carvalho mentioned at the summit, paying for a key does not prevent data leaks. Instead, the threat actors may wait several months to dump the files on the dark web.
“This tactic enables these groups to obfuscate the practice and complicate efforts that seek to draw connections between a ransomware attack, victim payment and that data still making it onto the dark web for sale,” Sayers said.
Guidelines from the Department of Education
While K12 leaders await further federal support, administrators should leverage the already available resources from the U.S. Department of Education. Here are several quick tips and best practices found on the Department’s website that leaders should review as the 2023-24 school year gets underway:
- Addressing Adversarial and Human Caused Threats That May Impact Students, Staff, and Visitors
- Data Breach Scenario Training Kits
- Data Breach Response Checklist
- Cybersecurity Considerations for K12 Schools and School Districts
